Message-ID: <c5f75c8d-847f-4f9e-81d6-8297e8ca48b4@linux.dev>
Date: Wed, 6 Mar 2024 14:21:07 -0800
From: Martin KaFai Lau <martin.lau@...ux.dev>
To: Jamal Hadi Salim <jhs@...atatu.com>
Cc: deb.chatterjee@...el.com, anjali.singhai@...el.com,
 namrata.limaye@...el.com, tom@...anda.io, mleitner@...hat.com,
 Mahesh.Shirshyad@....com, Vipin.Jain@....com, tomasz.osinski@...el.com,
 jiri@...nulli.us, xiyou.wangcong@...il.com, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, vladbu@...dia.com,
 horms@...nel.org, khalidm@...dia.com, toke@...hat.com, daniel@...earbox.net,
 victor@...atatu.com, pctammela@...atatu.com, bpf@...r.kernel.org,
 netdev@...r.kernel.org
Subject: Re: [PATCH net-next v12 14/15] p4tc: add set of P4TC table kfuncs

On 3/6/24 12:22 PM, Jamal Hadi Salim wrote:
>> I think my question was, who can use the act_bpf_kern object when all tc bpf
>> prog is unloaded? If no one can use it, it should as well be cleaned up when the
>> bpf prog is unloaded.
>>
>> or the kernel p4 pipeline can use the act_bpf_kern object even when there is no
>> bpf prog loaded?

[ ... ]

>>> I am looking at the conntrack code and I don't see how they release
>>> entries from the conntrack table when the bpf prog goes away.

[ ... ]

> I asked earlier about conntrack (where we took the inspiration from):
> How is what we are doing different from conntrack? If you can help me
> understand that I am more than willing to make the change.
> Conntrack entries can be added via the kfunc (same for us). Conntrack
> entries can also be added from the control plane and can be found by
> ebpf lookups (same for us). They can be deleted by the control plane,
> timers, entry evictions to make space for new entries, etc (same for
> us). Not sure if they can be deleted by ebpf side (we can). Perusing
> the conntrack code, I could not find anything that indicated that
> entries created from ebpf are deleted when the ebpf program goes away.
>
> To re-emphasize: Maybe there's something subtle I am missing that we
> are not doing that conntrack is doing?
> Conntrack does one small thing we don't: It allocs and returns to ebpf
> the memory for insertion. I don't see that as particularly useful for
> our case (and more importantly how that results in the entries being
> deleted when the ebpf prog goes away)

afaik, the conntrack kfunc inserts "struct nf_conn" that can also be used by
other kernel parts, so it is reasonable to go through the kernel's existing
eviction logic. That is why I asked my earlier question, "is the act_bpf_kern
object only useful for the bpf prog alone but not other kernel parts". From
reading patch 14, it seems to be only usable by bpf prog. When all bpf programs
are unloaded, who will still read it and do something useful? If I misunderstood
it, this will be useful to capture in the commit message to explain how it could
be used by other kernel parts without bpf prog running.

